Enabling HSTS

HTTP Strict Transport Security is a very simple to deploy addition to HTTPS, it doesn’t enforce SSL itself but it uses pre-populated lists such as Google’s here. Allowing clients browsers to check against, simply that the site only delivers content over https://, with no exceptions, this ensures that Man in the Middle attacks are not possible. While the only possible vulnerability this site would have had for an MitM attack would be on the contact me page, it’s nice to see the shiny A+ compared to my old banks B rating.

for me it’s just an exercise and vanity, but as you can see it will be nice when the banks follow suit, as they are mostly really insecure (don’t online bank on public WiFi, really don’t do it till they start employing HSTS and stop using insecure cyphers).

The steps to enable HSTS for Apache

Enable Headers and restart Apache:

$ sudo a2enmod headers
$ sudo service apache2 restart

Make sure the site is serving all content over https / port 443, either in your vhost config with something like:

15552000 is about 6 months in seconds, and satisfies the ssllabs tests, lower will work for Google, even as low as 6 weeks, but as enabling HSTS is difficult to reverse, it will make little difference and you might as well earn an A+ rating.

Run a test at https://www.ssllabs.com/ssltest/analyze.html and check near the bottom for: